Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

Last week at VMworld 2013 I learned about AFORE Solutions (Yeah, they capitalize it all), a ten-year-old software company with a new product called CypherX which freaking rocks!

The best way to describe CypherX is that it's kind of like MAM for Windows. They have an agent you can use to protect certain Windows executables, and when they're protected, anything that goes "out" of the application is encrypted—files saved, clipboard, etc. The cool thing is multiple Windows applications can be configured to share the same encryption, so you could allow work email to save files which could be opened by work Visio, but if a user emailed the file to himself then it wouldn't work on their home Visio.

What's really cool about CypherX is since it encrypts any files a protected app lays down, you can let your users use whatever file sharing or file syncing platform they want. If they have a CypherX-protected app on multiple computers, great! And if not, no problem!

The way I found out about AFORE is that they had a booth at VMworld right next to TechTarget. (In other news: TechTarget has a booth at VMworld! We do the "Best of VMworld" awards for them and in return they give us a booth.) Actually AFORE won something (or was a finalist? I forget) for one of their other products in the "Best of VMworld" awards, and afterwards they came up to me (I was the MC for the awards show) and said, "You need to come visit us." I told them that I only tracked the EUC space, and they said, "Yeah, we have a VDI product too!" While I was looking for an excuse to blow them off, they added, "And we're right next to your booth!"

So I ended up talking to AFORE Sr. Product Manager Tim Bramble. He gave me the following demo:

My only critique is that they seem to be targeting this product for VDI environments, but it seems to me that this is something that would be useful to all 500 million corporate Windows desktops and laptops in the world? Seriously, I've never seen anything like this before, and it seems awesome. What do you think?

Our Books

Comments

appdetective
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Thu, Sep 5 2013 1:43 PM

@Brian in your Visio example how do you run two of the same exe versions on your personal machine?

For that to work they would have to tag the work Visio exe somehow to distinguish it from all other versions. Not sure how they claim to do that without breaking anything.

This is still a container using encryption which is vulnerable on a rooted machine. The control is applied at the application level as opposed to the data itself.

mkarasik
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Thu, Sep 5 2013 2:40 PM

The example of Visio files was about two different machines, not about two Visio instances on the same machine, so this should answer your first question I believe.

Can you mention any software security product which isn't vulnurable on the rooted machine by definition?

appdetective
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Thu, Sep 5 2013 3:13 PM

@mkarasik You are right once rooted you are vulnerable, however approaches like Bromium with hardware based sandboxing provide an alternative approach that enable more use cases like the Visio example.

If the Visio use case doesn't work, then IT is just building a big Cybertrust bubble which increases the size of the attack surface and kills usability.

Tim Bramble
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Fri, Sep 6 2013 11:10 AM

@appdetective Thanks for your comments.

With respect to the Visio question, the scenario that Brian mentioned was a user using Visio on his or her work machine and sending the file to a home machine. CypherX policy grants data access to authorized users using certified applications on validated machines. All three aspects of a given policy must be satisfied in order for CypherX to decrypt the data. Since the user’s home machine is not a “validated” machine, the data would not be decrypted, even if the user had installed the CypherX client on his or her machine. If you are asking about using the same application on the same machine within both a trusted (for sensitive data) and untrusted context (for other, non-sensitive data), CypherX can address this as well.

Clearly, attack vectors continue to grow in sophistication and it’s a constant arms race to equip organizations with security tools to protect against all forms of threats – experts concur there is no silver bullet solution and having a layered security strategy (that continually evolves) is the best line of defense. We believe CypherX provides a new and pragmatic approach that will equip organizations with a needed layer to mitigate advanced threat vectors with minimal impact on business processes and users.

appdetective
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Mon, Sep 9 2013 9:39 AM

@Tim Bramble. Yes I'm asking about the same machine use case. How do you handle that situation? Determining what data the user can work on using a single app for both personal and work if you control the app? I assume this implies you tag the data? But then I wonder how do you know if data created by the user is for work or personal?

Tim Bramble
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Mon, Sep 9 2013 8:06 PM

@appdetective: There are several ways to handle the situation you describe. A not-so-elegant method would be to have two versions of the same application that differ in non-functional ways (e.g. different properties), one locked down for work use and the other not locked down, for personal use. Fortunately, we have a more elegant solution but we aren't disclosing details on it yet.

appdetective
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Tue, Sep 10 2013 12:21 PM

@Tim Well look forward to the details when you are ready. Hope to see a blog post on it on BM.com.

Tim Bramble
wrote
re: Brian's new vendor crush: AFORE's security wrapping for Windows desktop apps should be on every desktop in the world!

on
Wed, Sep 11 2013 12:06 PM

@app Thanks, appdetective. We look forward to sharing the details and would love to have another post on this blog!

(Note: You must be logged in to post a comment.)

If you log in and nothing happens, delete your cookies from BrianMadden.com and try again. Sorry about that, but we had to make a one-time change to the cookie path when we migrated web servers.